Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-41899

CVE-2026-41899: Coolify Authentication Bypass Vulnerability

CVE-2026-41899 is an authentication bypass flaw in Coolify that allows unauthenticated API access, enabling spam and webhook abuse. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-41899 Overview

Coolify is an open-source, self-hostable platform for managing servers, applications, and databases. CVE-2026-41899 affects the POST /api/feedback endpoint in versions prior to 4.0.0-beta.474. The endpoint lacks authentication, rate limiting, and input validation. Attackers can forward arbitrary content directly to the configured Discord webhook, enabling spam, content injection, and webhook abuse. The issue is fixed in version 4.0.0-beta.474. The weakness is categorized as Missing Authentication for Critical Function [CWE-306].

Critical Impact

Any unauthenticated remote attacker can abuse the feedback API to relay arbitrary messages through the operator's Discord webhook, creating opportunities for spam floods, phishing content injection, and reputational damage to the Coolify instance owner.

Affected Products

  • Coolify versions prior to 4.0.0-beta.474
  • Deployments with the feedback_discord_webhook constant configured
  • Self-hosted Coolify instances exposing the /api/feedback route to untrusted networks

Discovery Timeline

  • 2026-07-06 - CVE-2026-41899 published to NVD
  • 2026-07-07 - Last updated in NVD database

Technical Details for CVE-2026-41899

Vulnerability Analysis

The vulnerability resides in the feedback method of app/Http/Controllers/Api/OtherController.php. The controller reads the content field from the incoming request and forwards it directly to a Discord webhook using Http::post(). No authentication middleware guards the route, no throttle is applied, and no validation constrains the payload length or type. An attacker sending high-volume POST requests can flood the operator's Discord channel with arbitrary messages. Because the content is passed through unchanged, attackers can also inject Discord mentions such as @everyone or @here to amplify disruption, or embed phishing links that appear to originate from the trusted operator channel.

Root Cause

The root cause is missing authentication and missing input validation on a server-side webhook relay. The controller trusts unauthenticated user input and treats it as safe outbound content. Without rate limiting, a single attacker can send unlimited requests, exhausting Discord webhook quotas and generating noise that hides legitimate feedback.

Attack Vector

Exploitation requires only network access to the Coolify API. An attacker sends repeated HTTP POST requests to /api/feedback with attacker-controlled content. Each request is proxied to the configured Discord webhook, delivering the attacker's payload to the operator's channel.

php
// Security patch in app/Http/Controllers/Api/OtherController.php
// refactor(api): validate and throttle feedback endpoint (#9653)
 public function feedback(Request $request)
 {
-    $content = $request->input('content');
+    $data = $request->validate([
+        'content' => ['required', 'string', 'min:10', 'max:2000'],
+    ]);
+
     $webhook_url = config('constants.webhooks.feedback_discord_webhook');
     if ($webhook_url) {
-        Http::post($webhook_url, [
-            'content' => $content,
+        Http::timeout(5)->post($webhook_url, [
+            'content' => $data['content'],
+            'allowed_mentions' => ['parse' => []],
         ]);
     }
 }
// Source: https://github.com/coollabsio/coolify/commit/371e883c75a87d82c398bf89ee8ad6387348520d

The patch adds strict validation on content length, enforces a request timeout, and disables Discord mention parsing by setting allowed_mentions to an empty parse list. A companion change in app/Livewire/Help.php caps the subject field length to prevent oversized submissions from the UI path.

Detection Methods for CVE-2026-41899

Indicators of Compromise

  • Bursts of unauthenticated POST requests to /api/feedback from a single or small set of source IP addresses
  • Discord channel messages containing @everyone, @here, or suspicious external URLs delivered through the Coolify feedback webhook
  • Unusually large or repeated identical content payloads in Coolify web server access logs

Detection Strategies

  • Parse web server or reverse proxy logs for requests to /api/feedback and alert when request rate exceeds a baseline threshold per source IP.
  • Monitor Discord webhook delivery logs for message volume anomalies tied to the feedback channel.
  • Correlate application logs with outbound HTTP calls to discord.com/api/webhooks/* to detect proxied abuse.

Monitoring Recommendations

  • Enable structured logging of all /api/feedback requests including source IP, User-Agent, and payload length.
  • Configure alerts on Discord webhook rate-limit responses (HTTP 429) originating from the Coolify host.
  • Track versions of deployed Coolify instances to confirm they are running 4.0.0-beta.474 or later.

How to Mitigate CVE-2026-41899

Immediate Actions Required

  • Upgrade Coolify to version 4.0.0-beta.474 or later, which validates and throttles the feedback endpoint.
  • If upgrade is not immediately possible, rotate the Discord webhook URL configured in feedback_discord_webhook to invalidate any URL already known to attackers.
  • Restrict network access to the Coolify API using a reverse proxy allowlist or firewall rules while patching is scheduled.

Patch Information

The fix is delivered in Coolify 4.0.0-beta.474 through pull request coollabsio/coolify#9653 and commit 371e883c. Details are documented in the GitHub Security Advisory GHSA-v64c-v633-58xp. The patch enforces a content length between 10 and 2000 characters, applies a 5-second HTTP timeout, and disables Discord mention parsing.

Workarounds

  • Temporarily unset feedback_discord_webhook in the Coolify configuration to disable the relay entirely until the upgrade is applied.
  • Apply reverse proxy rate limiting on the /api/feedback route, for example with Nginx limit_req or Traefik middleware.
  • Block or challenge unauthenticated POST requests to /api/feedback at the web application firewall.
bash
# Nginx rate-limit example for the vulnerable route
limit_req_zone $binary_remote_addr zone=feedback:10m rate=5r/m;

location /api/feedback {
    limit_req zone=feedback burst=5 nodelay;
    limit_req_status 429;
    proxy_pass http://coolify_upstream;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.